Firewall Wizards mailing list archives
RE: IP in IP and FW1
From: "Safier, Adam (GEIS)" <Adam.Safier () geis ge com>
Date: Wed, 24 Sep 1997 18:55:38 -0400
Colin's answers are preferred with 2 being my favorite. But, if you cannot do that you might try overloading the r2-fw1 interface with a second IP address, say a class 1918 address. You then set that as the internet default or proxy server or gateway for Net1 users. They go to the firewall which decrypts and then uses its own routing table to forward to the allowed destination which is back out the same physical interface to R2. This is a guess - haven't been there, haven't done that with SecureRemote - but overloading works and your firewall rules can be set by IP address of the interface. However, some rules may conflict and you may need to relax your policy - which could be risky. Really should change to Colin's option 2.
-----Original Message-----
From: Colin Campbell [SMTP:sgcccdc () citec qld gov au]
Sent: Wednesday, September 24, 1997 4:00 AM
To: firewall-wizards () nfr net
Subject: Re: IP in IP and FW1

Hi

How about one of two solutions:

1) replace R1 with Cisco running 11.2 IOS and do NAT on the router.

2) restructure the LAN to be:

                       Internet
                           ^
                           |
                          R2
                           |
NET1 ------ R1 ---------- FW1-------------- NET2

Colin

My mailer thinks Neale Banks said:

Hi,

I have been asked to advise on a problem with an RFC1918 subnet that needs to communicate with the Internet via FW-1 and NAT. A picture is worth a thousand words, so:

                        Internet
                            ^
                            |
NET1 ------ R1 ---------- R2 ---- FW1------ NET2

The main complication here is that both NET1 and NET2 are using RFC1918 addresses, and R2 also has the default route to the internet. Ideally Internet traffic from FW1 SecuRemote clients on NET1 would be directed to the FW1 and NATed to assigned address space before venturing to the internet.
Adam
---------------
Adam Safier, Network Engineer/Security Consultant
GE Information Services, Inc.
401 North Washington St., Rockville, Md. 20850
Ph: 301-340-5737  Internal: 8*273-5737  Fax: 301-340-4005
Adam.Safier () geis ge com  http://www.geis.com
I'm proud to live in a country where I can express my personal opinions. The opinions above may not be shared by my employer.
---------------
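As an added illustration of Colin's option 1 (NAT on R1), not taken from any message in this thread: an IOS configuration of the kind available from 11.2 onward. The interface names, the NET1 range and the outside addresses are assumed placeholders, not values from the thread.

```cisco
! Assumed: Ethernet0 faces NET1 (RFC1918 space), Serial0 faces R2 and the Internet.
! All addresses below are placeholders, not from the thread.
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
! Only NET1's RFC1918 range is eligible for translation; anything else
! arriving on the inside interface is routed untranslated.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Overload (PAT) all matching inside sources onto the outside interface address.
! Note: every destination reached via Serial0, including R2 and FW1, sees the
! translated address, so NET1 no longer presents RFC1918 sources to FW1.
ip nat inside source list 1 interface Serial0 overload
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```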